cara/app-config/nginx/nginx.conf

worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    server {
        listen       8080 default_server;
        listen       [::]:8080 default_server;
        server_name  _;
        root         /opt/app-root/src;

        # Load configuration files for the default server block.
        include /opt/app-root/etc/nginx.default.d/*.conf;

        large_client_header_buffers 4 16k;

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 86400;

        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        location /auth {
            proxy_pass_request_body off;

            proxy_set_header Host $http_host;
            proxy_set_header Content-Length "";
            proxy_set_header If-None-Match "";
            proxy_pass http://auth-service:8080;
        }

        location @error401 {
            # Store the request_uri (complete with args) to be redirected to
            # when we hit /auth/complete.
            add_header Set-Cookie "POST_AUTH_REDIRECT=$request_uri;";
            return 302 /auth/login;
        }

        location @proxy_404_error_handler {
            # Pass the request on to the webservice. Most likely the URI won't
            # exist so we get a 404 from that service instead (good as the 404
            # pages are consistent).
            proxy_pass http://cara-webservice:8080/$request_uri;
        }

        location /voila-server/ {
            proxy_intercept_errors on;

            # Anything under voila-server or expert-app is authenticated.
            auth_request /auth/probe;
            error_page 401 = @error401;
            error_page 404 = @proxy_404_error_handler;

            # cara-app is the name of the voila server in each of docker-compose,
            # test-cara.web.cern.ch and cara.web.cern.ch.
            proxy_pass http://cara-app:8080/voila-server/;
        }
        rewrite ^/expert-app$ /voila-server/voila/render/cara.ipynb last;
        rewrite ^/(files/static)/(.*)$ /voila-server/voila/$1/$2 last;

        # Before implementing the nginx router we could access /voila/render/cara.ipynb.
        # Redirect this (and all other) URLs to the new scheme.
        absolute_redirect off;
        rewrite ^/voila/(.*)$ /voila-server/voila/$1 redirect;

        location / {
            # By default we have no authentication.
            proxy_pass http://cara-webservice:8080;
        }

        location /calculator {
            return 302 /calculator-cern;
        }

        location /calculator-cern {
            # CERN calculator is authenticated.
            auth_request /auth/probe;
            error_page 401 = @error401;

            # cara-webservice is the name of the tornado server (for the calculator)
            # in each of docker-compose, test-cara.web.cern.ch and cara.web.cern.ch.
            proxy_pass http://cara-webservice:8080/calculator-cern;
        }

        location /calculator-open {
            # Public open calculator
            proxy_pass http://cara-calculator-open:8080/calculator-open;
        }
    }
}